CVE-2026-24398: Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing

January 27, 2026 (updated January 29, 2026)

IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The IPV4_REGEX pattern and convertIPv4ToBinary function in src/utils/ipaddr.ts do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls.

References

github.com/advisories/GHSA-r354-f388-2fhh
github.com/honojs/hono
github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37
github.com/honojs/hono/releases/tag/v4.11.7
github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh
nvd.nist.gov/vuln/detail/CVE-2026-24398

Code Behaviors & Features

Detect and mitigate CVE-2026-24398 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →